During the past year, various agencies have bought or expressed interest in buying products compliant with a Microsoft operating system set to lose security support next week, according to a review of federal solicitations and the agencies themselves. The Air Force, Navy and Marine Corps, as well as the Veterans Affairs, Labor and State departments are a few of the Windows XP holdouts.

Microsoft will stop updating the 12-year-old operating system on April 8. With the company's software developers out of the picture, hackers who find holes can drop "0-day exploits,” or malicious software that penetrates systems running XP before anyone has time to fix them.

But some agencies need Windows XP to run mission-critical applications that are incompatible with newer operating systems. Others, fearing they might miss the cutoff date for security support, want products that will function on existing systems.

Here's a sample of the roughly 195 solicitations posted within the past year specifying Windows XP compliance:

The Air Mobility Command in May 2013 bought a $6,875 touch screen computer that was required to support "Windows XP Professional SP3 32 bit."

The Naval Research Laboratory announced in April 2013 that it intended to award a contract for a computer, with various accessories and "Windows XP Installation."

In April 2013, the I Marine Expeditionary Force at Camp Pendleton, Calif., solicited software to model sound propagation that was "compatible with a Windows XP OS."

Last month, Veterans Affairs posted an ad seeking an XP-compatible system to enable online registration for the National Veterans Golden Age Games, an event for older vets currently under care of the VA medical system.

Two special notebooks at a Labor agency needed Windows XP to run software that supports a critical-mission function.

State announced roughly 175 solicitations and awards for XP-compatible information technology tools and services.

A Legacy Issue

Roughly 3 percent of the Pentagon's several million unclassified and classified Windows machines are still running XP software, according to military officials.

Machines remaining on XP tend to require special engineering and testing "to make sure that function and dependability are still correct after an operating system change,” Richard Hale, deputy chief information officer for cybersecurity at Defense, said during an interview. “Those tend to also be systems that get deployed often in places that have high operations tempo like ships. So it then takes us a while to deploy those."

Defense has been upgrading, primarily to other Windows versions, at a rate of up to 60,000 computers a month.

“It will probably take us several years to get the last Windows XP" machines transitioned, Hale said of approximately one percent of the department’s Windows machines. "There may be some special cases that take longer.”

Hale could not speak to the specific solicitations the services have issued but said he believes they pertain to systems stuck in the changeover. “As recently as a year ago, we had hundreds of thousands of Windows XP machines, and so people have had to support them as they transitioned their networks to Windows 7 or Windows 8," he said. "They’ve had to support them and they will need to support them until they are completely out of the inventory.”

All military devices, whether on XP or upgraded software, are protected by layers of security systems, Hale said.

For instance, “we have perimeter defenses that look for malware and can block it,” as well as Defensewide email scanning and intrusion detection systems, he said.

Cyber Command to the Rescue

Military cyber personnel will be paying attention to XP-enabled threats. "Cyber Command is the top operator for the department and top defender for all of this stuff," Hale said. Every information security employee takes orders from the command.

While the military is not adding extra levels of defense as a direct consequence of Microsoft's decision to terminate support for the old operating system, “our operations force will be attuned to Windows XP attacks just in case those go up after April 8,” he said.

Not all federal contracting documents mentioning XP required technology dependent on that platform alone, indicating the purchasing agency could be planning to soon switch platforms. For example, in May 2013, Veterans Affairs asked for a mobile device security tool that "must be compatible with [i]OS, Android, Windows Mobile, Blackberry, Windows XP, Windows 7, and Windows 8."

VA needs a Windows XP system for the Golden Age Games because agencies are at different stages of the conversion, according to a March 18 solicitation. "Migration from Windows XP to Windows 7 is not yet complete within all of VA," the request for proposals states. "As a result, compatibility with and support on Windows XP, Internet Explorer 7 and Microsoft Office 2007 are also required until April 2014 when Microsoft’s extended support for Windows XP ends."

Veterans Affairs officials said that more than 99 percent of the department's IT inventory -- about 390,000 Windows computers -- is now on Windows 7. The systems still on XP "are not compatible with Windows 7 and must be updated before the systems can be upgraded to the new operating system," VA spokeswoman Genevieve Billia said in an email.

Those outliers seem to be creating disruptions and racking up expenses, even if not creating risks.

"Some of the remaining XP systems will be removed from the network and other mitigation strategies will be put into place for those that remain," Billia said, adding that the department might purchase extended support from Microsoft.

Labor officials expect to move all computers to newer Windows platforms by May. As with all such transitions, officials said, the department is encountering some exceptions, such as the two notebooks.

"We continually monitor for security vulnerabilities, and those efforts include XP-based systems that are being discontinued as well as the few XP-based functions that will remain in place until replacements are implemented," a Labor spokeswoman said in an email.

State, during the past year, apparently wanted a lot of technology that would work with Windows XP but not necessarily depend on it to function properly.

“The U.S. Department of State does not have any 'XP reliant' initiatives, and our intent is to be off of Windows XP by the April 8 deadline," a senior State official said in an email. "We will not be paying Microsoft for additional XP support after April 8. Our solicitations do indeed work with Windows 7, and may have been requested to be compatible with Windows XP out of an abundance of caution.”

FROM OUR SPONSORS

sponsored

JOIN THE DISCUSSION

By using this service you agree not to post material that is obscene, harassing, defamatory, or
otherwise objectionable. Although Nextgov does not monitor comments posted to this site (and has
no obligation to), it reserves the right to delete, edit, or move any material that it deems to
be in violation of this rule.

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

Data-Centric Security vs. Database-Level Security

Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.